Baffle thy enemy: The case for Honey Encryption

(Phys.org) —Database breaches are making today's headlines, revealing events where thieves scoff up millions of passwords. Security experts meanwhile think about, talk about and work towards fighting against such crimes. A fresh twist in the security arsenal might be to simply baffle criminals by unleashing a flood of data that appears real but is fake. "Honey Encryption" is an approach being proposed to protect sensitive data. You beat attackers by making it difficult to figure out if the password or encryption key they are trying to steal is correct or incorrect.

A discussion about the approach on Wednesday in Threatpost said the tool results in the attacker seeing a plausible-looking password or encryption key which is actually incorrect, and the attacker cannot tell the information is incorrect. The two people behind this Honey Encryption approach is Ari Juels, former chief scientist at computer security company RSA, and Thomas Ristenpart, an assistant professor at the University of Wisconsin.

As it is now, a criminal intruder, with each try of an incorrect key, sees gibberish. The unsuccessful try clearly indicates it is not what he or she wants. With honey encryption, however, trying to guess the password or encryption key becomes mystifying; the attacker is dealing with thousands of, say, fake credit card numbers, and each one looks plausible. A report about their work in MIT Technology Review said Juels was convinced that "by now enough password dumps have leaked online to make it possible to create fakes that accurately mimic collections of real passwords."

In October, Juels had said that "Honeywords and honey-encryption represent some of the first steps toward the principled use of decoys, a time-honored and increasingly important defense in a world of frequent, sophisticated, and damaging security breaches." He said that the honeywords and honey encryption are joint work, respectively, with Ron Rivest and Tom Ristenpart. He said honey-encryption creates "ciphertexts that decrypt under incorrect keys to seemingly valid (decoy) messages."

The Honey Encryption system, meanwhile, will be the subject of a paper later this year when Juels and Ristenpart present their "Honey Encryption: Security Beyond the Brute-Force Bound" at the Eurocrypt conference in May, an event that is focused on cryptographic techniques, in Copenhagen.

Related Stories

Most financial transactions on the Internet are safeguarded by a cryptographic technique called public-key encryption. Where traditional encryption relies on a single secret key, shared by both sender and recipient, public-key ...

(Phys.org) —A trio of researchers in Israel has discovered that it is possible to crack 4096-bit RSA encryption keys using a microphone to listen to high-pitch noises generated by internal computer components. Adi Shamir ...

At least eight researchers or policy experts have withdrawn from an Internet security conference after the sponsor reportedly used flawed encryption technology deliberately in commercial software to allow the National Security ...

Recommended for you

It sounds like a science-fiction nightmare. But "killer robots" have the likes of British scientist Stephen Hawking and Apple co-founder Steve Wozniak fretting, and warning they could fuel ethnic cleansing and an arms race.

Photos. Messages. Bank account codes. And so much more—sit on a person's mobile device, and the question is, how to secure them without having to depend on lengthy password codes of letters and numbers. Vendors promoting ...

A startup team calls their work a product. They also call it a social movement. Many people in the over-7,000 islands in the Philippines lack access to electricity .The startup would like to make a difference. Their main ...

As I said previously, the best defense is to include rubbish in everything. All my PC's respond with rubbish to interrogation. During war mis-information has been the most effective weapon. Those that wish to data mine me better have developed a lie detector. The more crap data they capture the more time they waste and bog them down. Best defense on the internet is lots of data with only you knowing what data is the truth. That's why data mining is ultimately useless, too much information obscures the real picture.